How to slow down the API Requests in Express
In this tutorial, we will learn how to slow down the API requests made by each user in an Express app using the express-slow-down middleware.
What is Express slow down?
Express slow down is a rate-limiting middleware for Express that slows down the responses sent to the user rather than blocking the API requests with a warning message.
You can also check out my previous tutorial about rate limiting the API requests in Express.
Installing express-slow-down
Let’s install the express-slow-down package from npm by running the following command in your terminal.
npm install express-slow-down
Slowing down the API requests (for all routes)
In this example, we are limiting each user (IP address) to 50 requests per 15 minutes.
This means that if a user makes more than 50 requests, we add a delay of 1000 milliseconds (that is, 1 second) for each request above the limit.
For the 51st request the delay is 1000ms, for the 52nd request the delay is 2000ms, for the 53rd request the delay is 3000ms, etc.
const express = require("express");
const slowDown = require("express-slow-down");

const app = express();

// Enable only if you're behind a reverse proxy
// (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc.).
// With it on, req.ip is taken from the X-Forwarded-For header, which a
// client can set itself when no trusted proxy sits in front of the app.
app.enable("trust proxy");

const speedLimiter = slowDown({
  windowMs: 15 * 60 * 1000, // 15 minutes
  delayAfter: 50, // allow 50 requests per 15 minutes, then...
  delayMs: 1000 // begin adding 1000ms of delay per request above 50
});

app.use(speedLimiter); // apply to all routes

app.get("/users", (req, res) => {
  res.send("hello");
});

app.listen(3000, () => console.log("App is running"));
Slowing down the particular routes
If you want to slow down the API requests for particular routes instead of all routes in your Express app, like the /create-account/ route or the /reset-password/ route, you can do it like this.
const express = require("express");
const slowDown = require("express-slow-down");

const app = express();

app.get("/users", (req, res) => {
  res.send("hello");
});

// delayAfter and delayMs are express-slow-down options
const accountLimiter = slowDown({
  windowMs: 15 * 60 * 1000, // 15 minutes
  delayAfter: 20, // 20 requests
  delayMs: 2000 // adding 2000ms delay
});

// Passing the limiter as route middleware slows down only this route
app.post("/create-account", accountLimiter, (req, res) => {
  // your logic
  res.send("account is created");
});

app.listen(3000, () => console.log("App is running"));
In the above example, we are slowing the API requests made to the /create-account route.
Bonus
Express slow down middleware also adds a req.slowDown object to all requests with the following properties.
limit: The options.delayAfter value (defaults to 1).
current: The number of requests in the current window.
remaining: The number of requests remaining before rate-limiting begins.
resetTime: When the window will reset and current will return to 0, and remaining will return to limit (in milliseconds since epoch - compare to Date.now()). Note: this field depends on store support. It will be undefined if the store does not provide the value.
delay: Amount of delay imposed on current request (milliseconds).
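The delay schedule from the first example and the req.slowDown fields listed above can be reproduced with a small model of the per-IP accounting. This is an added example, not code from this tutorial's app or from express-slow-down itself: createSlowDownModel, delaysFor and the sample IP address are hypothetical names and constructed values, and the maxDelayMs cap mirrors the package's option of the same name.

```javascript
// Simplified model (assumption: fixed window, in-memory store, one counter per key).
function createSlowDownModel({ windowMs, delayAfter, delayMs, maxDelayMs = Infinity }) {
  const hits = new Map(); // key (client IP) -> { count, resetTime }

  // Records one request and returns an object shaped like req.slowDown.
  return function hit(key, now = Date.now()) {
    let entry = hits.get(key);
    if (!entry || now >= entry.resetTime) {
      // First request from this key, or the previous window has expired.
      entry = { count: 0, resetTime: now + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    const over = Math.max(0, entry.count - delayAfter); // requests above the limit
    return {
      limit: delayAfter,
      current: entry.count,
      remaining: Math.max(0, delayAfter - entry.count),
      resetTime: entry.resetTime,
      // Delay grows by delayMs per request above the limit, up to the cap.
      delay: Math.min(over * delayMs, maxDelayMs),
    };
  };
}

// Constructed sample: one client sends n requests inside a single window.
function delaysFor(n, options, key = "203.0.113.7") {
  const hit = createSlowDownModel(options);
  const delays = [];
  for (let i = 0; i < n; i++) delays.push(hit(key, 0).delay);
  return delays;
}

// Options from the "all routes" example above.
const tutorialOptions = { windowMs: 15 * 60 * 1000, delayAfter: 50, delayMs: 1000 };
console.log(delaysFor(53, tutorialOptions).slice(49)); // delays for requests 50 to 53
```

Each key has its own counter, so the value Express reports as the client IP (and therefore the trust proxy setting) decides which counter a request is charged to. Without a cap such as maxDelayMs, the delay keeps growing for as long as a client stays above the limit within the window.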